Product · 14 April 2026 · 8 min read

Why accountants are now a prime target for impersonation fraud

Business Email Compromise targeting accountants has moved from amateur to convincing. A practice-aware email defence is no longer optional.

The most common Business Email Compromise scenario against an accountancy practice isn't dramatic. A partner's mailbox gets phished. The attacker watches quietly for a few days, learns the rhythm, then sends a perfectly timed 'updated bank details' email to a client. The client pays. Nobody notices for a week. The money is gone.

The attack works because the client trusts the sender, the timing matches a real workflow, and the request looks plausible. By the time anyone investigates, the funds have moved through several mule accounts and recovery is unlikely.

Why accountants in particular

Accountancy practices hold an unusually rich combination of client relationships, financial authority and predictable payment patterns. Clients expect payment instructions from their accountant. The accountant's email is treated as authoritative. The fraud doesn't need to be sophisticated; it just needs to land in the right inbox at the right moment.

The wave of attacks specifically targeting UK accountancy firms over the last several years has produced enough successful cases that the playbook is now well-developed. Attackers know exactly which mailboxes to target, which workflows to mimic, and which days of the month to strike.

How the compromise itself happens

Most start with a credential phish. A convincing email asks the partner to sign in to Microsoft 365 to view a document, the page is a faithful replica of the Microsoft sign-in page, and the partner enters their password. Without MFA, the attacker is in. With weak MFA the attacker can usually still get in: an SMS or voice code can be relayed by the same phishing page while it is still valid, and legacy authentication protocols such as IMAP, POP and SMTP AUTH do not support MFA at all, so wherever they remain enabled the password alone is enough.

Once in, they create inbox rules to hide their activity (typically filing anything that mentions invoices, payments or bank details into a folder nobody opens, so the mailbox owner never sees a client querying the new details), watch the patterns for a few days, and pick their moment. Some attackers spend weeks in a mailbox before acting, which is part of why detection is hard.

The controls that actually help

MFA enforced via Conditional Access, with no legacy authentication exceptions: block legacy authentication outright rather than trusting that nobody still uses it. The Authenticator app with number matching is a large step up from SMS and defeats push-bombing, but a real-time phishing page can still relay it; FIDO2 security keys or passkeys are the genuinely phishing-resistant option and belong on partner accounts first.

Impersonation protection in Defender for Office 365. Configured in the anti-phishing policy, it watches for messages whose sender display name or domain closely resembles a protected senior user or one of your own domains but did not come from them, including external senders whose display name mimics an internal user.

DMARC published with a 'reject' policy (p=reject), not 'none' or 'quarantine'. Together with aligned SPF and DKIM, this stops attackers sending mail as your exact domain to your own clients. It does not stop a lookalike domain or a message from a genuinely compromised mailbox, which is why the mailbox controls above still matter. The usual path is to publish p=none with aggregate reporting (rua=) first, fix every legitimate sender the reports reveal, then move through quarantine to reject. That takes a few weeks of careful work to get right without breaking legitimate mail flow, and it's well worth it.
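The checks a practitioner would run against a published record, as an added Python example that is not part of the original article. The sample records and the domain example.test are constructed; a live check would first fetch the TXT record at _dmarc.<your domain> (for instance with dig) and feed the string to the same function.

```python
"""Assess a DMARC TXT record for the weaknesses discussed above.

Added example, not from the original article. SAMPLE_RECORDS are constructed
and example.test is not a real domain. A live check fetches the TXT record at
_dmarc.<domain> first; the parsing and judgement below are the same either way.
"""


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-tag -> value dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("record does not begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("record has no p= policy tag")
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the policy receivers actually apply plus the findings worth fixing.

    'hardened' is True only for the end state the article recommends: p=reject
    on the domain and its subdomains, applied to 100% of mail, with aggregate
    reports (rua=) so that breakage of legitimate mail is visible.
    """
    tags = parse_dmarc(record)
    findings: list[str] = []

    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp= defaults to p=
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not an integer; receivers fall back to 100")

    if policy == "none":
        findings.append("p=none: spoofed mail is delivered, you only get reports")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to junk instead of being rejected")
    elif policy != "reject":
        findings.append(f"unknown policy value {policy!r}")

    if subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy}: subdomains can still be spoofed")
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so legitimate-mail breakage goes unnoticed")

    effective = policy if pct == 100 else f"{policy} on {pct}% of mail"
    hardened = policy == "reject" and subdomain_policy == "reject" and pct == 100 and "rua" in tags
    return {"policy": policy, "effective_policy": effective,
            "findings": findings, "hardened": hardened}


# Constructed sample records following the progression the article describes.
SAMPLE_RECORDS = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    "half_reject": "v=DMARC1; p=reject; pct=50; sp=none; rua=mailto:dmarc@example.test",
    "hardened": "v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc@example.test; ruf=mailto:dmarc@example.test; fo=1",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(f"{name}: effective policy = {result['effective_policy']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The half_reject record is the trap worth noticing: the dashboard says "reject", but pct=50 means half of all spoofed mail is still delivered and sp=none leaves every subdomain open.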

Sensible mailbox rule auditing. Defender will alert on suspicious inbox rules (rules that move messages to RSS Feeds or similar folders nobody reads, mark them read or delete them, or forward to external addresses) as soon as they're created, and the Exchange Online audit log records every rule change for review. That's how compromises get caught early, often before the fraudulent email is sent.
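The same rule-hiding behaviour described above (and relied on during the post-incident audit later in the piece) can be checked by hand against exported audit records. The Python below is an added example, not from the original article or from Microsoft. The entries in SAMPLE_AUDITDATA are constructed in the shape of the AuditData JSON that Search-UnifiedAuditLog returns for New-InboxRule and Set-InboxRule (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs) and are not real tenant data; ORG_DOMAINS is an assumed list of the practice's own domains. Rules created in the Outlook client are logged as UpdateInboxRules with a different layout and are deliberately not handled.

```python
"""Flag inbox rules that look like BEC tradecraft in Exchange Online audit records.

Added example, not from the original article or from Microsoft. SAMPLE_AUDITDATA
is constructed in the shape of AuditData JSON from Search-UnifiedAuditLog for
New-InboxRule / Set-InboxRule; ORG_DOMAINS is an assumed tenant domain list.
"""
import json

ORG_DOMAINS = {"firm.test"}  # assumed: the tenant's accepted domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "deleted items", "junk email"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Words attackers filter on so the victim never sees replies about the fraud.
BEC_KEYWORDS = {"invoice", "payment", "bank", "remittance", "wire", "transfer",
                "password", "hacked", "fraud", "scam"}


def parse_auditdata(line: str) -> dict:
    """Decode one AuditData JSON string into a record dict."""
    return json.loads(line)


def _params(record: dict) -> dict[str, str]:
    """Flatten the record's Parameters list into a name -> value dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _external_recipients(value: str) -> list[str]:
    """Addresses in a 'Name <user@domain>; user2@domain' value outside ORG_DOMAINS."""
    external = []
    for token in value.split(";"):
        token = token.strip().strip('"')
        if not token:
            continue
        addr = token[token.rfind("<") + 1:].rstrip(">") if "<" in token else token
        if "@" in addr and addr.rsplit("@", 1)[1].lower() not in ORG_DOMAINS:
            external.append(addr)
    return external


def assess_rule(record: dict) -> list[str]:
    """Return the reasons a rule looks malicious; an empty list means nothing fired."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return []
    p = _params(record)
    reasons = []

    for param in sorted(FORWARD_PARAMS & p.keys()):
        ext = _external_recipients(p[param])
        if ext:
            reasons.append(f"{param} sends mail outside the tenant: {', '.join(ext)}")

    folder = p.get("MoveToFolder", "")  # logged as 'user@domain:\\Folder'
    if folder.split("\\")[-1].strip().lower() in HIDING_FOLDERS:
        reasons.append(f"moves messages to '{folder}', a folder nobody reads")

    if p.get("DeleteMessage", "").lower() == "true" or p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks as read or deletes, so the owner never sees the message")

    words = set()
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        for phrase in p.get(key, "").split(";"):
            words.update(phrase.lower().split())
    hits = words & BEC_KEYWORDS
    if hits:
        reasons.append(f"filters on payment/fraud keywords: {', '.join(sorted(hits))}")

    name = p.get("Name", "")
    if name and not name.strip(" .,-_"):
        reasons.append(f"rule name {name!r} is punctuation only, a common hiding pattern")
    return reasons


def audit(lines: list[str]) -> list[dict]:
    """Run assess_rule over exported AuditData lines and keep only those that fire."""
    hits = []
    for line in lines:
        record = parse_auditdata(line)
        reasons = assess_rule(record)
        if reasons:
            hits.append({"time": record.get("CreationTime"), "user": record.get("UserId"),
                         "ip": record.get("ClientIP"), "reasons": reasons})
    return hits


# Constructed sample records (not real tenant data): two attacker rules on a
# partner's mailbox, then a benign newsletter rule that must not fire.
SAMPLE_AUDITDATA = [
    '{"CreationTime":"2026-04-02T07:14:09","Operation":"New-InboxRule","UserId":"partner@firm.test",'
    '"ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},'
    '{"Name":"SubjectOrBodyContainsWords","Value":"invoice;bank details;payment"},'
    '{"Name":"MoveToFolder","Value":"partner@firm.test:\\\\RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}',
    '{"CreationTime":"2026-04-02T07:15:30","Operation":"New-InboxRule","UserId":"partner@firm.test",'
    '"ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"Backup"},'
    '{"Name":"ForwardAsAttachmentTo","Value":"\\"Backup\\" <partner.firm@mailbox.example>"}]}',
    '{"CreationTime":"2026-04-02T09:01:00","Operation":"New-InboxRule","UserId":"junior@firm.test",'
    '"ClientIP":"198.51.100.20","Parameters":[{"Name":"Name","Value":"Newsletters"},'
    '{"Name":"FromAddressContainsWords","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Reading"}]}',
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_AUDITDATA):
        print(f"{hit['time']} {hit['user']} from {hit['ip']}")
        for reason in hit["reasons"]:
            print("  -", reason)
```

Each hit carries the ClientIP, which is the pivot for the rest of the investigation: every sign-in from that address during the dwell period belongs to the attacker, not the partner.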

The human controls that matter as much as the technical ones

A culture where clients know to phone the practice to confirm any change of bank details. Not because the practice asked them to in a one-off email two years ago, but because every engagement letter, every signature block, and every payment notification reminds them.

A small habit on the practice side: senior staff don't issue payment instructions by email alone. There's always a second channel - a phone call, a portal upload, a confirmation message.

A clear internal process for staff to escalate anything that feels off. The junior who calls a partner to say 'this email looks weird' is doing more for security than any product. Reward that rather than punishing it.

When something does go wrong

The first 24 hours matter most. The compromised account should be locked down immediately: reset the password, revoke all active sessions and refresh tokens (a password reset on its own does not end a session the attacker already holds), review and reset MFA registrations in case the attacker enrolled a device of their own, check OAuth application consents, and remove mailbox-level forwarding as well as every inbox rule. Then establish the dwell period from the sign-in logs and the unified audit log; Defender's investigation tools will surface most of what was done.

Then the client communication needs to happen quickly. Anyone who received a message from the compromised account during the dwell period should be contacted directly. The temptation to hush it up makes everything worse, both legally and reputationally.

The ICO will care if personal data was accessed during the compromise. Under UK GDPR a personal data breach that is likely to pose a risk to individuals must be reported within 72 hours of the practice becoming aware of it, and because an accountant's mailbox almost always contains client personal data, most BEC incidents are reportable. A practice-aware IT partner will know what evidence to preserve (audit and sign-in logs, the rules and messages the attacker created) and what conversations to have with the regulator.

What good looks like

A practice where every mailbox has strong MFA, every external email has a clear visual marker, every client knows that bank detail changes don't happen by email, and the impersonation protection in Defender is doing its quiet work in the background.

When attacks come - and they will - they don't land. The technology piece is the smaller part. The culture and habit piece is what makes the difference between an attempted attack and a successful one.

The training that actually changes behaviour

Generic security awareness training doesn't move the needle much on BEC. Role-specific training does. A short briefing for senior partners on the patterns attackers use to impersonate them. A short briefing for client services on the bank details rule and how to handle pushback from a client who insists.

Pair it with a simulated phishing programme that uses realistic templates and provides immediate coaching rather than punishment. Over a year, the click rate drops and the report rate rises. That's the metric to track, not the headline 'training completion' number.
